(54) System and method for secure legacy enclaves in a public key infrastructure

(57) System and method for secure legacy enclaves in a Public Key Infrastructure that includes one or more legacy servers, client platforms, directories, and a Virtual Private Network extranet gateway. The servers contain one or more legacy applications and are connected to a first network. The client platforms are connected to a second network and contain legacy software employable by users to access the legacy applications. The directories are connected to the second network and contain information on user authorization to access the servers. The gateway is connected between the servers and the second network. The gateway requests a signature certificate of each user attempting access to a legacy application; queries the directory to confirm the user is allowed access to the server after authenticating the user; and establishes a connection between the legacy software and the legacy application if the user is allowed access to the server.
Description

BACKGROUND 
Field of the Invention 

[0001] This invention relates to Public Key Infrastructures (PKI), and more specifically to secure legacy enclaves in a PKI.

Background Information 

[0002] A public key infrastructure (PKI) is a collection of servers and software that enables an organization, company, or enterprise to distribute and manage thousands of unique public/private cryptographic keys in a manner that allows users to reliably determine the identity of the owner of each public/private key pair. When each member of an enterprise has a unique key, paper-based business processes may be transitioned to an on-line, electronic equivalent. Public/private key pairs have the property that for any given public key there exists one and only one private key, and vice versa. Public key cryptography (i.e., the ability to publicly distribute the encryption key) can be used to digitally sign documents. If a particular message can be decrypted using one member of the key pair, then the assumption is that the message must have been encrypted using the other member. If only one person knows the key used to perform the encryption of a document in the first place, then the recipients that can decrypt the document can be sure that the sender of the document must be that person.
[0003] However, for a digital signature to be meaningful, the recipient of an object signed with the digital signature must first be able to reliably determine the owner and integrity of the key used to sign the object. Public key infrastructures accomplish this using an electronic document called a digital certificate. Certificates may contain information identifying the owner of the key pair, the public component of the pair, and the period of time for which the certificate is valid. The certificate may also identify technical information about the key itself, such as the algorithm used to generate the key, and the key length. Certificates are generated by organizations, companies, or enterprises that are responsible for verifying the identity of individuals (or in some instances organizations) to which certificates are issued. The certifying organization is known as a certificate authority. The certificate authority signs each certificate using a private key known only to the certificate authority itself. This allows users of the PKI to verify both the integrity of the certificate and the identity of the authority that issued it. By issuing a certificate, a certificate authority is stating that it has verified that the public key that appears in the certificate (and, by extension, the corresponding private key) belongs to the individual listed in the certificate. The integrity with which the registration process operates is, therefore, of great importance. The process must provide mechanisms for reliably identifying the individual and for verifying that the public key listed in the certificate belongs to that individual.
[0004] Fig. 1 shows a block diagram of an example PKI system architecture. Current PKIs that provide strong authentication of user identity accomplish this via the use of a local registration authority officer (LRAO) 12. LRAO 12 operates at a workstation or server platform 14 that runs a local registration authority software application 16. Server platform 14 may be any known computing device that may serve as a server, e.g., computer, workstation, etc. The local registration authority application 16 interfaces to other server platforms that may contain applications such as a certificate authority application 18, a registration authority application 20, and/or a key recovery authority application 22. Each application may be on the same server platform, or on separate individual server platforms 14. A user 10, that is using or desires access to the PKI system architecture, accesses the system via a web browser 22 on a client platform 24. A hardware token 26, such as a smart card, may also be operably connectable to client platform 24. Typically in current systems, user 10 presents a photo I.D. to the local registration authority officer 12 in order to authenticate the user's identity. Local registration authority officer 12 then uses workstation 14 and local registration authority application 16 to signal a registration authority application 20 to register new user 10 in the system. Local registration authority application 16 may be off-the-shelf product software that comes typically bundled with a certificate authority application 18, registration authority application 20, and key recovery authority 22 software.

[0005] A public/private key pair is generated by either the local registration authority application 16 or the registration authority application 20 (depending on products chosen and depending on how they've been configured). The public key is sent to certificate authority application 18 to be signed, thereby generating a certificate for new user 10. A backup copy of the private key may also be sent to key recovery authority application 22; however, normally the private key is kept on a token 26, or at client platform 24 by user 10. Once the public key is sent to a certificate authority 18 and signed, a user certificate is generated and provided to a local registration authority server. Local registration authority officer 12 copies the certificate (including the private key) onto a floppy disk, hardware token, or other storage medium, and then provides the certificate and private key to the user.

[0006] Current PKI systems that integrate legacy applications into the system modify software in a legacy application 30 resident on a legacy server 32. The modifications are performed by a legacy developer 34 who modifies the software within the legacy application by modifying the source code and recompiling the application. The software modifications allow the legacy application to work with signature certificates. Modifying the software within the legacy application is usually very expensive.

[0007] In current systems a user may attempt to access a legacy application 30 on legacy server 32 from a client platform 24. Before access to the legacy server is granted, the user must present the user's signature certificate to the legacy application (since the legacy application has been modified so that a certificate from the user is required). Depending on an access control list configured in the legacy application, the legacy application will either grant or deny access to the user based on the user's signature certificate. Legacy applications and servers typically employ proprietary computer interfaces and custom software clients. These interfaces and clients typically rely on a simple user ID and password scheme to authenticate the identity of a user. However, as noted previously, making significant modifications to these interfaces and clients to work with signature certificates is generally very expensive.

[0008] Therefore, a need exists for a system and method for integrating legacy systems into a modern PKI-based authentication system without requiring expensive modifications to the legacy software.

SUMMARY 

[0009] The present invention is directed to a system for secure legacy enclaves in a Public Key Infrastructure (PKI) that includes one or more legacy servers, one or more client platforms, one or more directories, and a Virtual Private Network (VPN) extranet gateway. The legacy servers contain one or more legacy applications and may be connected to a first network. The client platforms are connected to a second network. The client platforms contain legacy client software employable by users to access the legacy applications. The directories are connected to the second network and contain information on the users. The directories also contain information on each user designating whether the user is authorized to access the legacy servers. The VPN extranet gateway is connected between the legacy servers and the second network. The VPN extranet gateway requests a signature certificate of each user attempting access to a legacy application to authenticate the user. The VPN extranet gateway queries the directory to confirm the user is allowed access to the legacy server after authenticating the user. The VPN extranet gateway establishes a connection between the legacy client software and the legacy application if the user is allowed access to the legacy server.

[0010] The present invention is further directed to a method for secure legacy enclaves in a PKI that includes: installing a VPN extranet gateway between one or more legacy servers and a legacy client platform; attempting access to a legacy application on a legacy server by a user employing legacy client software on the legacy client platform; requesting a signature certificate of the user by the VPN extranet gateway to authenticate the user; querying a directory by the VPN extranet gateway after authenticating the user to confirm the user is allowed access to the legacy server; and establishing a connection between the legacy client software and the legacy application if the user is allowed access to the legacy server.

[0011] The present invention is also directed to an article comprising a storage medium having instructions stored therein, where the instructions when executed cause a processing device to perform: receiving an attempt to access a legacy application on a legacy server by a user employing legacy client software; requesting a signature certificate of the user to authenticate the user; querying a directory to confirm the user is allowed access to the legacy server after authenticating the user; and establishing a connection between the legacy client software and the legacy application if the user is allowed access to the legacy server.



[0012] The present invention is further described in the detailed description which follows in reference to the noted plurality of drawings by way of non-limiting examples of embodiments of the present invention in which like reference numerals represent similar parts throughout the several views of the drawings and wherein:

Fig. 1 is a block diagram of an example PKI system architecture;

Fig. 2 is a block diagram of an exemplary system architecture in which PKI processes may be practiced according to an example embodiment of the present invention; and

Fig. 3 is a flowchart of an example process for secure legacy enclaves in a public key infrastructure according to an example embodiment of the present invention.



[0013] The particulars shown herein are by way of example and for purposes of illustrative discussion of the embodiments of the present invention. The description taken with the drawings makes it apparent to those skilled in the art how the present invention may be embodied in practice.

[0014] Further, arrangements may be shown in block diagram form in order to avoid obscuring the invention, and also in view of the fact that specifics with respect to implementation of such block diagram arrangements are highly dependent upon the platform within which the present invention is to be implemented, i.e., specifics should be well within the purview of one skilled in the art. Where specific details (e.g., circuits, flowcharts) are set forth in order to describe example embodiments of the invention, it should be apparent to one skilled in the art that the invention can be practiced without these specific details. Finally, it should be apparent that any combination of hard-wired circuitry and software instructions can be used to implement embodiments of the present invention, i.e., the present invention is not limited to any specific combination of hardware circuitry and software instructions.

[0015] Although example embodiments of the present invention may be described using an example system block diagram in an example host unit environment, practice of the invention is not limited thereto, i.e., the invention may be able to be practiced with other types of systems, and in other types of environments (e.g., servers).

[0016] Reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment.

[0017] Fig. 2 shows a block diagram of an exemplary system architecture 100 in which Public Key Infrastructure (PKI) processes may be practiced according to an example embodiment of the present invention. The present invention is not limited to the system architecture 100 shown in Fig. 2. The boxes shown in Fig. 2 represent entities that may be hardware, software, or a combination of the two. The entities are operably connected together on a network. Entities not shown as being connected to the network represent one or more human beings that perform the function denoted inside the box.

[0018] System architecture 100 includes Data Entry 102 which performs a data entry function for Authoritative Database 104. Authoritative Database 104 is resident on server platform 106. A server platform 106 is referred to in this description but it should be understood that the present invention is not limited to any particular server architecture. Server platform 106 may be, for example, UNIX or Windows NT servers.

[0019] Authoritative database 104 contains information about members of the group or enterprise (e.g., company) for which PKI services in accordance with the present invention may be performed. The present invention is not limited by the structure of the group or enterprise for which information is stored in the authoritative database 104. The information contained in Authoritative database 104 may include, for example, the name, address, telephone numbers, manager's name, employee identification, etc., of the members of the group or enterprise. Directory 108 contains the same information contained in database 104, but is optimized for fast look-up of the information stored therein rather than fast data entry. The information contained in Directory 108 may be accessed faster than accessing the information from database 104. Directory 108 functions similar to an on-line quickly accessible phone book, containing reference information about the members of the group or enterprise stored in authoritative database 104.
[0020] Certificate authority 110 may be conventional off-the-shelf software executed on server platform 106. Certificate authority 110 provides storage of certificates and related information. This will be described in more detail hereinafter. Registration authority 112 may also be off-the-shelf software executable on server platform 106. Registration authority 112 will also be described in more detail hereinafter. Key recovery authority 114 may also be off-the-shelf server software executable on Server Platform 106, and may provide the function of recovering keys (e.g., archived or lost keys) for members of the group or enterprise.

[0021] A Windows 2000 Domain Certificate Authority (CA) 116 is shown with a dotted line connection to the network and may or may not be part of a system according to the present invention. Windows 2000 is able to use PKI certificates for network single sign-on, but Windows 2000 is designed to use only the Windows Certificate Authority. Therefore, a system according to the present invention may include a conventional Certificate Authority 110 as well as a Windows 2000 Domain CA 116.
[0022] Legacy server 118 executes legacy application programs 120. Legacy server 118 may be, without limitation, a mainframe, mini-computer, workstation or other server capable of hosting legacy software applications. Legacy software applications generally may not be designed to be inherently interoperable with a PKI. Legacy applications 120 may be accessible on the client side by a custom client 128 such as an emulator or custom database Graphic User Interface (GUI). Examples of emulators are terminal emulators of an IBM 3270 or terminal emulators of a vt100.

[0023] Registration web page 122, which may be one or more pages, functions as the user interface to system architecture 100 shown in Fig. 1. Web Server 124 is a software application that serves Web Pages (such as web page 122) or other HTML outputs to a web browser client (such as web browser 126). Web Server 124 may be any software application that serves Web Pages or HTML outputs such as, for example, Apache, Microsoft Internet Information Server application, etc.
[0024] Web browser 126 is resident on client platform 128 which may be any user computer or computing device. Web browser 126 may be a client software application for browsing web pages such as, for example, HTML protocols, XML protocols, or other protocols. Web browser 126 may be programmed to operate with PKI certificates issued by certificate authority 110. Examples of web browsers which have this capability include Netscape Navigator and Microsoft Internet Explorer. The token 130 may be a smart card, a device with a Universal Serial Bus (USB), or other hardware token device capable of generating, storing, and/or using PKI certificates.

[0025] A user 132 is a person that uses or desires access to system architecture 100. User 132 may transition through a number of states which include, for example, a new user, a current user, and a former user. A former user is no longer a member of the group or enterprise. System architecture 100 is described with reference to two levels of security with each level corresponding to a different security requirement. The number of the levels of security is not a limitation of the present invention. The level 1 search engine 134 may be a search engine that is permitted to search system architecture 100, but is allowed access to only level 1 data which is the lowest level of security. Level 1 data may be, for example, data which is freely distributable whereas level 2 data may be considered to be proprietary. A Level 2 search engine 136 may be a search engine which is allowed to search both level 1 and level 2 data. A Level N search engine (not illustrated) may be a search engine which is allowed to search through servers possessing Levels 1 through N data.

[0026] A secured level server with Level 1 data may be a web server containing only level 1 data that is secured so that users may need to have level 1 access (at least) to access the level 1 servers. A secured web server with level 2 data 140 may be a web server that contains level 2 data that has been secured so that users must have at least level 2 access to access the level 2 servers. A user with level 2 access may have access to both level 1 and level 2 servers. A secured web server with level N data (not illustrated) is a web server that contains level N data which is accessible by users with level N or above. Users with level N or above access may have access to all levels of data up through level N data.

[0027] VPN Extranet 142 may be a software application which functions as a network gateway, which as illustrated, may be either to legacy server 118 and legacy application 120 or to an external network such as the Internet. Personal revocation authority 144 may be one or more people that are in charge of revocation of members from system network 100. Personal registration authority 146 may be one or more people that are in charge of registration of members in system network 100. Personal recovery approval 148 may be one or more people that are in charge of obtaining recovery of certificates. A Recovery Agent 150 may be one or more people that perform recovery of certificates and may only recover a certificate if the certificate has first been designated as recoverable by another person. Personal role approval 152 may be one or more people that approve different role functions within the system network 100. A web server administrator may be one or more people that are in charge of various web functions in system network 100.

[0028] Systems and methods for secure legacy enclaves according to the present invention provide the combined application of digital signature certificates and virtual private networks (VPNs) to provide a lower cost solution to creating secure legacy enclaves. A legacy enclave may be defined as a local area network (LAN) that has been segregated from the enterprise network for the purpose of isolating legacy servers and applications. According to the present invention, legacy enclaves are isolated from the main network. The legacy enclaves are attached to and protected by VPNs that require digital signature validation and verification from users before allowing access to the servers and applications of the legacy enclaves.

[0029] A VPN extranet gateway accesses one or more directories, that contain digital signatures of users, for validation of a user/client attempting to access a legacy system. The VPN gateway effectively creates a secure enclave around the legacy system by placing it in a virtual network consisting only of itself (i.e., the secure legacy enclave). The VPN gateway allows encrypted access through the VPN gateway, thus employing modern security solutions for network-to-network (enterprise network to secure legacy enclave) activity.
[0030] Fig. 3 shows a flowchart of an example process for secure legacy enclaves according to an example embodiment of the present invention. A VPN extranet gateway is inserted between one or more legacy servers and one or more legacy client platforms (S1). The legacy servers may be part of one or more legacy enclave networks. The client platforms may be connected to an enterprise network. The VPN extranet gateway may be inserted by an enterprise network administrator. The legacy network administrator may configure the VPN extranet gateway with users that are allowed to access the legacy servers (S2). A user employs legacy client software, resident at a client platform, to attempt access to a legacy application on a legacy server (S3). The VPN extranet gateway receives the attempt from the user and requests that the user send the user's signature certificate (S4). The VPN extranet gateway uses the user's signature certificate to authenticate the user, i.e., validate that the user is indeed who the user says they are. The VPN gateway receives the user's signature certificate, authenticates the user, and queries a directory to confirm the user is allowed access to the legacy server (S5). The directory may be a database that may be connected to the enterprise network. The directory contains information on all users that are members of the enterprise, along with other information about each user, for example, whether the user is allowed access to legacy servers. The directory accesses the user's information stored in the directory, and determines if the user is allowed access to the legacy server. If the user is allowed access to the legacy server, the VPN extranet gateway establishes a connection between the legacy client software resident on the client platform, and the legacy application resident on a legacy server (S6). After the connection is established between the legacy client software and the legacy application, the legacy application may further require a user ID and password from the user before allowing the user access to the legacy application.
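The gateway's decision sequence S4 to S6 of Fig. 3, written out as an added Go example that is not code from the patent: a constructed enterprise CA issues a user certificate with the standard library, and the gateway verifies the certificate chain, then consults a constructed directory before the connection may be established. It goes one step beyond the patent text by also requiring the client to sign a gateway nonce, since a presented certificate alone proves nothing about who holds the private key; the names Gateway, IssueCert, Sign, the user "alice" and the server "payroll-3270" are assumptions for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Directory: user name -> legacy servers that user may reach (constructed data).
type Directory map[string]map[string]bool

// Gateway is the VPN extranet gateway: it trusts one enterprise CA and consults Dir.
type Gateway struct {
	Roots *x509.CertPool
	Dir   Directory
}

// Sign is the client side of S4: signing the gateway's nonce proves possession
// of the private key, so a copied certificate alone authenticates nobody.
func Sign(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Admit performs S4-S6: chain the certificate to the enterprise CA and check the
// signed nonce (S4), confirm authorization in the directory (S5), return user (S6).
func (g *Gateway) Admit(certDER, nonce, sig []byte, server string, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", fmt.Errorf("malformed certificate: %v", err)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: g.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("authentication failed: %v", err)
	}
	digest := sha256.Sum256(nonce)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("authentication failed: bad proof of possession")
	}
	// Authentication never implies authorization: a valid certificate for a user
	// the directory does not list for this server is refused.
	user := cert.Subject.CommonName
	if !g.Dir[user][server] {
		return "", fmt.Errorf("user %q not authorized for %s", user, server)
	}
	return user, nil
}

// IssueCert generates a P-256 key and a certificate for cn signed by signer under
// parent; with parent nil the certificate is self-signed (a CA).
func IssueCert(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, signer = tmpl, key
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewGateway builds a gateway that trusts ca and authorizes from dir.
func NewGateway(ca *x509.Certificate, dir Directory) *Gateway {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Gateway{Roots: pool, Dir: dir}
}

func main() {
	now := time.Now()
	ca, caKey, _ := IssueCert("Enterprise CA", true, nil, nil, now)
	alice, aliceKey, _ := IssueCert("alice", false, ca, caKey, now)
	gw := NewGateway(ca, Directory{"alice": {"payroll-3270": true}})
	sig, _ := Sign(aliceKey, []byte("demo nonce"))
	fmt.Println(gw.Admit(alice.Raw, []byte("demo nonce"), sig, "payroll-3270", now))
}
```

A real gateway would draw the nonce from crypto/rand per session and also check revocation, which the patent leaves to the directory's user state.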

[0031] Systems and methods for secure legacy enclaves according to the present invention are advantageous in that no software changes to the legacy systems are required. Further, greater security is achieved by the requirement that someone who seeks access to the legacy system may have to provide not only a password, but also a digital signature certificate to a VPN.

[0032] It is noted that the foregoing examples have been provided merely for the purpose of explanation and are in no way to be construed as limiting of the present invention. While the present invention has been described with reference to a preferred embodiment, it is understood that the words which have been used herein are words of description and illustration, rather than words of limitation. Changes may be made within the purview of the appended claims, as presently stated and as amended, without departing from the scope and spirit of the present invention in its aspects. Although the present invention has been described herein with reference to particular methods, materials, and embodiments, the present invention is not intended to be limited to the particulars disclosed herein, rather, the present invention extends to all functionally equivalent structures, methods and uses, such as are within the scope of the appended claims.



Claims 

1. A system for a secure legacy enclave in a Public Key Infrastructure (PKI) comprising:

at least one legacy server, the at least one legacy server containing at least one legacy application;

at least one client platform operatively connected to a network, the at least one client platform containing legacy client software employable by at least one user to access the at least one legacy application;

a directory operably connected to the network, the directory containing information on the at least one user, the directory further containing information on each at least one user designating whether each at least one user is authorized to access the at least one legacy server; and

a Virtual Private Network (VPN) extranet gateway, the VPN extranet gateway operatively connected between the at least one legacy server and the network, the VPN extranet gateway requesting a signature certificate of the at least one user attempting access to the legacy application to authenticate the at least one user, the VPN extranet gateway querying the directory to confirm the at least one user is allowed access to the legacy server after authenticating the at least one user, the VPN extranet gateway establishing a connection between the legacy client software and the legacy application if the at least one user is allowed access to the legacy server.

2. The system according to claim 1, wherein the directory comprises a database.

3. The system according to claim 1, further comprising a second network, the at least one legacy server operatively connected to the second network, the VPN extranet gateway operatively connected between the second network and the network.

4. A method for secure legacy enclaves in a Public Key Infrastructure (PKI) comprising:

installing a virtual private network (VPN) extranet gateway between at least one legacy server and a legacy client platform;

attempting access to a legacy application on the at least one legacy server by a user employing legacy client software on the legacy client platform;

requesting a signature certificate of the user by the VPN extranet gateway to authenticate the user;

querying a directory by the VPN extranet gateway after authenticating the user to confirm the user is allowed access to the at least one legacy server; and

establishing a connection between the legacy client software and the legacy application if the user is allowed access to the at least one legacy server.

5. The method according to claim 4, further comprising configuring the VPN extranet gateway with users allowed access to the at least one legacy server after the installing the VPN extranet gateway between the at least one legacy server and the legacy client platform.

6. The method according to claim 4, wherein the directory comprises a database.

7. The method according to claim 4, further comprising requesting a user ID and password from the user by the legacy server after the connection is established between the legacy client software and the legacy application.

8. The method according to claim 4, further comprising requesting a user ID and password from the user by the VPN extranet gateway before the connection is established between the legacy client software and the legacy application.

9. An article comprising a storage medium having instructions stored therein, the instructions when executed causing a processing device to perform:

receiving an attempt to access a legacy application on a legacy server by a user employing legacy client software;

requesting a signature certificate of the user to authenticate the user;

querying a directory to confirm the user is allowed access to the legacy server after authenticating the user; and

establishing a connection between the legacy client software and the legacy application if the user is allowed access to the legacy server.

10. The article according to claim 9, further comprising requesting a user ID and password from the user before the connection is established between the legacy client software and the legacy application.

11. The article according to claim 9, receiving configuration information regarding users allowed access to the at least one legacy server.

EP 1 162 807 A2